Vulnerability-Scanning Tools

Vulnerability scanners look for holes in the armor of the target machines. Ed Skoudis tells how these tools can help you locate your system weaknesses and find any security holes before the hackers do.

This article is an excerpt from the book Counter Hack: A Step-by-Step Guide to Computer Attacks and Effective Defenses (Prentice Hall PTR, 2001), by Ed Skoudis.


When attackers target a particular computer network, they use vulnerability-scanning
tools to look for holes in the armor of the target machines. Vulnerability scanners
are really based on a simple idea: Automate the process of connecting to a target
system, and check to see if a vulnerability is present. By automating the process,
we can quickly and easily check the target systems for many hundreds of vulnerabilities.
A vulnerability-scanning tool knows what many system vulnerabilities look like
and goes out across the network to check to see if any of these known vulnerabilities
are present on the target. A vulnerability-scanning tool will automatically
check for the following types of vulnerabilities on the target system:

Common configuration errors—Numerous systems have poor configuration
settings, leaving various openings for an attacker to gain access.

Default configuration weaknesses—Out of the box, many systems
have very weak security settings, often including default accounts and passwords.

Well-known system vulnerabilities—Every day, volumes of new
security holes are discovered and published in a variety of locations on
the Internet. Vendors try to keep up with the onslaught of newly discovered
vulnerabilities by creating security patches. However, once the vulnerabilities
are published, a flurry of attacks against unpatched systems is inevitable.

For example, a vulnerability-scanning tool will check to see if you are running
an older, vulnerable version of the BIND DNS server that allows an attacker
to take control of your machine. It will also check to see if you’ve misconfigured
your Windows NT system to allow an attacker to gather a complete list of users
through a NULL session. These are only two examples of the hundreds or thousands
of checks that the tool will automatically conduct during a scan. The attacker
will use a vulnerability-scanning tool that includes automated programs to check
for each of these kinds of vulnerabilities. Many vulnerability scanners also
include network-mapping programs and port scanners. While particular implementations
vary, most vulnerability-scanning tools can be broken down to the following
common set of elements, as shown in Figure 1.

Vulnerability database—This element is the brain of the vulnerability
scanner. It contains a list of vulnerabilities for a variety of systems
and describes how those vulnerabilities should be checked.

User-configuration tool—By interacting with this component
of the vulnerability scanner, the user selects the target systems and identifies
which vulnerability checks should be run.

Scanning engine—This element is the arms and legs of the vulnerability
scanner. Based on the vulnerability database and user configuration, this
tool formulates packets and sends them to the target to determine whether
vulnerabilities are present.

Knowledge base of current active scan—This element acts like
the short-term memory of the tool, keeping track of the current scan, remembering
the discovered vulnerabilities, and feeding data to the scanning engine.

Results repository and report-generation tool—This element
is the mouth of the vulnerability scanner, where it says what it found during
a scan. It generates pretty reports for its user, explaining which vulnerabilities
were discovered on which targets.
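The five elements above, as an added skeleton example (not code from the book or from any real scanner): a data-driven vulnerability database of banner/version checks, a user-selected set of targets and checks, an engine that probes each service, a scan-state knowledge base, and a report generator. Check ids, version thresholds, addresses and banners are all constructed placeholders; the probe reads them from a table instead of the network.

```python
import re
from dataclasses import dataclass, field

@dataclass(frozen=True)
class VulnCheck:
    """Vulnerability-database entry: what to look for and how to test it."""
    check_id: str      # placeholder id, not a real advisory number
    service: str
    description: str
    banner_re: str     # regex whose 'ver' group captures the version string
    fixed_in: tuple    # versions below this are reported (placeholder threshold)

VULN_DB = [
    VulnCheck("EX-DNS-1", "dns", "outdated DNS server release", r"BIND (?P<ver>[\d.]+)", (9, 2, 0)),
    VulnCheck("EX-SMTP-1", "smtp", "outdated mail server release", r"Sendmail (?P<ver>[\d.]+)", (8, 12, 0)),
]
FAKE_TARGETS = {  # constructed banners standing in for live network responses
    "10.0.0.5": {"dns": "BIND 8.2.3", "smtp": "220 mail ESMTP Sendmail 8.11.6"},
    "10.0.0.6": {"dns": "BIND 9.2.1", "smtp": "220 mail ESMTP Sendmail 8.12.9"},
}

def parse_version(text):
    return tuple(int(p) for p in text.split(".") if p)

def probe(target, service):
    """Scanning engine's network step; a real tool sends packets, this reads the constructed table."""
    return FAKE_TARGETS.get(target, {}).get(service)

@dataclass
class ScanState:
    """Knowledge base of the current active scan."""
    findings: list = field(default_factory=list)

def run_scan(targets, enabled_checks, db=VULN_DB):
    """User configuration (targets, enabled checks) drives the engine over the database."""
    state = ScanState()
    for target in targets:
        for check in db:
            if check.check_id not in enabled_checks:
                continue
            m = re.search(check.banner_re, probe(target, check.service) or "")
            if m and parse_version(m["ver"]) < check.fixed_in:
                state.findings.append((target, check.check_id, m["ver"]))
    return state

def report(state, db=VULN_DB):
    """Results repository and report generation: one line per finding."""
    desc = {c.check_id: c.description for c in db}
    return [f"{t}: {cid} ({desc[cid]}, observed {v})" for t, cid, v in state.findings]
```

Version comparison on parsed tuples is what keeps 9.2.1 from being flagged against a 9.2.0 threshold while 8.2.3 is; a real scanner's database also records how to confirm the hole rather than trusting the banner alone.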

SARA and SAINT are both descendants of one of the early
vulnerability-scanning tools, SATAN (the Security Administrator Tool for
Analyzing Networks), by Wietse Venema and Dan Farmer. While the original SATAN
is certainly showing its age, its spirit lives on in SAINT and SARA. In addition
to these wonderful freeware offerings, many commercial vulnerability scanners
are also available, including these:

It is important to note that each of these commercial tools is highly
effective and also includes technical support from a vendor. While all of these
tools have their merits, my favorite vulnerability-scanning tool is the free,
open-source Nessus because of its great flexibility and ease of use. In
addition, commercial support is available from the folks who created Nessus at
http://www.nessus.org.
Because it is a superb illustration of vulnerability-scanning tools, we will
analyze the capabilities of Nessus in more detail.